<html>
<head>
<meta charset="utf-8">
<title>Disclosure policy · wg-secure-code · Zulip Chat Archive</title>
<base href="https://rust-lang.zulipchat.com">
<link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet">
</head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Disclosure.20policy.html">Disclosure policy</a></h3>

<hr>

<a name="178043284"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Disclosure%20policy/near/178043284" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DPC <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Disclosure.20policy.html#178043284">(Oct 13 2019 at 15:53)</a>:</h4>
<p>So say there is a vulnerability/advisory by RustSec, how do we, as crate maintainers, go about fixing it?</p>
<p>For context, for a crate I co-maintain, there was a vulnerability and one of the co-maintainers posted it on <a href="https://www.reddit.com/r/rust/comments/dguqt3/vulnerability_in_sodiumoxide_generichashdigesteq/" target="_blank" title="https://www.reddit.com/r/rust/comments/dguqt3/vulnerability_in_sodiumoxide_generichashdigesteq/">https://www.reddit.com/r/rust/comments/dguqt3/vulnerability_in_sodiumoxide_generichashdigesteq/</a>.</p>
<p>But I feel this may not be the right thing. Any pointers?</p>



<a name="178045899"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Disclosure%20policy/near/178045899" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Disclosure.20policy.html#178045899">(Oct 13 2019 at 17:04)</a>:</h4>
<p>we've talked about putting every advisory on Reddit /cc <span class="user-mention" data-user-id="127617">@Shnatsel</span></p>



<a name="178045901"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Disclosure%20policy/near/178045901" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Disclosure.20policy.html#178045901">(Oct 13 2019 at 17:04)</a>:</h4>
<p>seems good to me</p>



<a name="178045965"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Disclosure%20policy/near/178045965" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Disclosure.20policy.html#178045965">(Oct 13 2019 at 17:06)</a>:</h4>
<p>Helping make sure folks are running cargo-audit in CI, getting GitHub to set notices/PRs, and having the thing that audits <a href="http://crates.io" target="_blank" title="http://crates.io">crates.io</a> running and causing people to send PRs seems more important than publicizing individual vulns, IMO.</p>



<a name="178050705"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Disclosure%20policy/near/178050705" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DPC <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Disclosure.20policy.html#178050705">(Oct 13 2019 at 19:09)</a>:</h4>
<p>Thanks <span class="user-mention" data-user-id="132721">@Tony Arcieri</span></p>



<a name="178052866"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Disclosure%20policy/near/178052866" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Disclosure.20policy.html#178052866">(Oct 13 2019 at 20:08)</a>:</h4>
<p>Posting vulnerabilities increases visibility for the entire RustSec effort, which is why I suggested them. It is otherwise not particularly discoverable other than through word-of-mouth.<br>
Alerting major dependents directly sounds like a good thing too. <a href="https://gitlab.com/zachreizner/crates-audit" target="_blank" title="https://gitlab.com/zachreizner/crates-audit">https://gitlab.com/zachreizner/crates-audit</a> lets you find all crates affected, including transitive dependents.</p>



<a name="178052893"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Disclosure%20policy/near/178052893" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Disclosure.20policy.html#178052893">(Oct 13 2019 at 20:09)</a>:</h4>
<p>Also, CI is really not the place to run cargo-audit - it should not block development, but it should prompt you to rebuild all your binaries used in production.</p>



<a name="178053027"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Disclosure%20policy/near/178053027" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Disclosure.20policy.html#178053027">(Oct 13 2019 at 20:12)</a>:</h4>
<p>I like running it in CI. Not everything you run in CI necessarily needs to block a merge</p>



<a name="178053032"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Disclosure%20policy/near/178053032" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Disclosure.20policy.html#178053032">(Oct 13 2019 at 20:12)</a>:</h4>
<p>but also you could run it on a schedule</p>



<a name="178056111"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Disclosure%20policy/near/178056111" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DPC <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Disclosure.20policy.html#178056111">(Oct 13 2019 at 21:37)</a>:</h4>
<p>So what should be the next step? Yank all affected releases?</p>



<a name="178056654"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Disclosure%20policy/near/178056654" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Disclosure.20policy.html#178056654">(Oct 13 2019 at 21:53)</a>:</h4>
<p>there's been a lot of back and forth on that one. I'd personally recommend it, especially for a security vulnerability</p>



<a name="178056661"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Disclosure%20policy/near/178056661" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Disclosure.20policy.html#178056661">(Oct 13 2019 at 21:53)</a>:</h4>
<p>some people complain it's too disruptive, but I hope they don't complain it's too disruptive in this case</p>



<a name="178057136"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Disclosure%20policy/near/178057136" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Disclosure.20policy.html#178057136">(Oct 13 2019 at 22:07)</a>:</h4>
<p><span class="user-mention" data-user-id="120823">@DPC</span> Oh yes, yanking all affected releases is a really good idea. If there are some releases that are not semver-compatible with the fixed version and people still use them, backport the fix to that series and make a new release there, then yank everything affected.</p>



<a name="178057596"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Disclosure%20policy/near/178057596" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Disclosure.20policy.html#178057596">(Oct 13 2019 at 22:20)</a>:</h4>
<p>The complaints about yanking were for cases when people don't provide a semver-compatible version with the fix</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>